Apple’s Security Flaws: Are you Paranoid Enough Yet?

It’s hard not to be paranoid about technology these days, what with the constant onslaught of data theft, zero-day exploits, malware botnets, and run-of-the-mill security vulnerabilities.

Add into that mix the ongoing revelations about NSA snooping and the complicity of RSA and other tech vendors in its surveillance agenda, and it’s no surprise that the latest cases of technical eavesdropping — a major SSL vulnerability in iOS and OS X and an iOS flaw that allows malicious apps to record touchscreen presses — brought a maelstrom of criticism and scrutiny down on Apple.

While Apple promptly issued an iOS patch for the gotofail SSL bug, which left users vulnerable to man-in-the-middle attacks that monitor and record everything that transpires on unsecured public networks, it was another four days before the company shored up defenses in OS X Mavericks. “How difficult is it to release [a fix] for OS X?” asked Andrew Storms, director of DevOps at security firm CloudPassage. “Shouldn’t it have been out an hour later?”

It turns out that the embarrassing security hole in the OSes’ implementation of basic Internet encryption had existed since September 2012. It didn’t take long for Apple/NSA conspiracy theories to gain traction. Security experts at this week’s RSA Conference openly speculated whether the vulnerability was a backdoor deliberately inserted for surveillance purposes — a clear sign, says NetworkWorld’s Ellen Messmer, that anxiety about state-sponsored surveillance is running high.

“One line of code — was it an accident or enemy action? I don’t know, but it’s the kind of bug I’d put in,” Bruce Schneier, CTO at Co3 Systems, said about the flaw during his presentation on government surveillance at the conference. The NSA is involved in aggressive mass surveillance, he said, and “are going to take any means necessary — including finding ways to put backdoors into commercial products, such as by code tampering.”
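The “one line of code” was a duplicated, unconditional `goto fail;` in the server key exchange signature check, which jumped past the verification step while `err` still held the success value of the previous hash call. The C sketch below is an added illustration, not Apple’s code: it models that control-flow shape with stub hash and signature helpers (`update_hash`, `final_hash`, `verify_sig` are assumed names) and shows the vulnerable shape beside a braced, single-goto form.

```c
/* Stubs standing in for the hashing and signature steps (the real code
   calls into the Security framework). Each returns 0 on success; a nonzero
   verify result models a signature that does NOT match the hash. */
static int update_hash(int *ctx, int data)     { *ctx += data; return 0; }
static int final_hash(int *ctx)                { (void)ctx; return 0; }
static int verify_sig(int hash, int signature) { return hash == signature ? 0 : -1; }

/* Vulnerable shape: the second "goto fail;" is not under the if, so it
   always executes. Verification is never reached and err is still 0 from
   the last successful hash update, so any signature is reported as valid. */
int verify_server_key_exchange_vulnerable(int signature)
{
    int ctx = 0;
    int err;
    if ((err = update_hash(&ctx, 1)) != 0)
        goto fail;
    if ((err = update_hash(&ctx, 2)) != 0)
        goto fail;
        goto fail;   /* the duplicated line: unconditional */
    if ((err = final_hash(&ctx)) != 0)
        goto fail;
    err = verify_sig(ctx, signature);   /* dead code */
fail:
    return err;   /* 0 means "signature OK" */
}

/* Hardened shape: braces on every conditional so a stray duplicated goto
   would stay inside its block, and the verify call is always reached. */
int verify_server_key_exchange_fixed(int signature)
{
    int ctx = 0;
    int err;
    if ((err = update_hash(&ctx, 1)) != 0) { goto fail; }
    if ((err = update_hash(&ctx, 2)) != 0) { goto fail; }
    if ((err = final_hash(&ctx)) != 0)     { goto fail; }
    err = verify_sig(ctx, signature);
fail:
    return err;
}
```

With the stub hash the valid signature value is 3; the vulnerable function returns 0 for a forged value such as 99, the fixed one does not. Clang’s `-Wunreachable-code` flags the dead `verify_sig` call in the vulnerable shape, which is the kind of compiler check a defender would keep enabled in a TLS code base.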

Daringfireball’s John Gruber sees five levels of paranoia in SSL hole theories:

1. The NSA was not aware of this vulnerability.

2. The NSA knew about it, but never exploited it.

3. The NSA knew about it and exploited it.

4. The NSA itself planted it surreptitiously.

5. Apple, complicit with the NSA, added it.

While Gruber identifies himself as a 3, he also considers that optimistic, given that the SSL flaw was introduced in iOS 6, which shipped in September 2012, and in a leaked PowerPoint on NSA’s PRISM surveillance program, Slide 6 described Apple as “added” as a data collection provider in October 2012.

When, on the heels of the SSL furor, security vendor FireEye revealed a vulnerability in iOS that allows the touchscreen equivalent of keylogging for apps running in the background on devices like iPhones and iPads, many were — again — quick to ask whether it was a simple coding mistake or a backdoor. “We have no evidence [it is a backdoor], but we suggest this is a possibility,” said Tao Wei, senior staff research scientist at FireEye.

In this atmosphere of heightened anxiety, perhaps security vendor CrowdStrike should have received a personal foul for piling on when it demoed an Apple OS X computer being deep fried in the course of a hack at the RSA Conference. CTO Dmitri Alperovitch showed how, by targeting the machine’s APC embedded controller with a fake firmware update, he was able to spike the CPU and turn off the fans. Alperovitch warned that enterprises should expect this type of cyber attack — “an attack that is not recoverable in terms of data or the machine itself” — in the future. “This is the next-generation permanent destruction,” CrowdStrike’s CEO George Kurtz concurred. “We are entering a new age of targeted destruction attacks.”

Meet the brave new world, a world where you’re thankful it’s “just” your data that’s snatched, and not your entire machine gone up in smoke.
